FTC says Avast promised privacy, but pirated consumers’ data for treasure lfair February 22, 2024 | 12:08AM FTC says Avast promised privacy, but pirated consumers’ data for treasure By Lesley Fair When uttered by a pirate, “Avast!” is a nautical term for “Listen up and cut it out.” And when the FTC says “Avast!” to software company Avast, it means the same thing. UK-based Avast Limited told consumers that using its software would protect their privacy by preventing the tracking and collection of their browser information. But according to the FTC, from 2014 to 2020, guess who was tracking consumers’ browser information and then selling it to more than 100 other companies through an affiliate called Jumpshot? Ironically enough, Avast Limited. We’re not sure how much the $16.5 million financial remedy is in doubloons, but we hope the terms of the proposed settlement will remind other companies to relegate conduct like that to Davy Jones’ Locker. For consumers concerned about their privacy, Avast’s claims for its anti-virus software and browser extensions were attention-getters. The company promised its products would block “annoying tracking cookies that collect data on your browsing activities.” In a major app store, the company pitched its Avast Mobile Software as way for consumers to “secure your device” by getting “alerted when you install spyware and adware apps that violate your privacy by sending your personal data to their servers.” In describing its desktop software, Avast promised it would “shield your privacy” and “stop anyone and everyone from getting to your computer.” Avast also told people that its software would allow them to “reclaim your browser. Get rid of unwanted extensions and hackers making money off your searches.” The company’s marketing hook for its Avast Secure Browser was its anti-tracking capabilities, promising it would “protect[] your privacy by preventing websites, advertising companies, and other web services from tracking your online activity.” It’s an irony not lost on the FTC that Avast made those privacy promises while trafficking in consumers’ browser histories. You’ll want to read the complaint for details about what Avast was allegedly up to behind the scenes, but part of the story relates to its acquisition of antivirus business Jumpshot in 2014. Avast rebranded Jumpshot as an analytics company, which advertised that its “[m]ore than 100 million online consumers worldwide” would give Jumpshot’s clients “unique insights to make better business decisions.” Jumpshot further claimed to give its clients the ability to “see where your audience is going before and after they visit your site or your competitors’ sites, and even track those who visit a specific URL.” Of course, Jumpshot’s source of that massive amount of data about people’s browsing information – some of it highly personal in nature – that it sold to advertising companies, data brokers, individual brands, search engine optimizing outfits, and others looking for detailed information about consumers’ browsing histories was Avast, the company that pitched its products as a solution to intrusive online surveillance. According to the complaint, Jumpshot provided its clients with “extraordinary detail regarding how consumers navigated the Internet, including each webpage visited, precise timestamp, the type of device and browser, and the city, state, and country.” What’s more, most of the data included a unique and persistent device identifier, which allowed Jumpshot and its clients to trace individuals across multiple domains over time. The FTC says that included in the information Jumpshot sold was data about consumers’ visits to sites about religious matters, political candidates, health concerns like breast cancer, jobs at secure military facilities, student loan application information, dating interests, and sites of an adult nature. The complaint puts it this way: “The vast majority of consumers would not know that the Avast Software would surveil their every move on the Internet or that their browsing information might be sold to more than 100 third parties and stored indefinitely, in granular, re-identifiable form.” In many instances, Avast didn’t disclose its data sharing practices at all, but even when it did, the FTC alleges its “disclosures” – for example, hard-to-find and hard-to-understand statements in its privacy policy – weren’t truthful. For example, at one point, Avast’s privacy policy said that any browsing information shared with third parties would be anonymized and in aggregate form. Not so, says the FTC. According to the complaint, the data Avast sold through Jumpshot included astonishing detail about individual consumers’ browsing habits. In addition, contrary to the express promises Avast made to consumers who downloaded its products, Jumpshot’s agreements with some of its clients made it clear that those companies intended to “re-associate” the data it bought with individual consumers for the purposes of targeting and tracking. The proposed complaint, which names Avast Limited, Avast Software s.r.o., and Jumpshot, Inc., alleges that the companies violated the FTC Act by unfairly collecting, retaining, and selling consumers’ browsing information; deceptively failing to disclose they were tracking consumers; and misrepresenting that consumers’ browsing information would be shared only in an aggregate and anonymous form when that wasn’t the truth. In addition to the $16.5 million financial remedy that the FTC intends to use for consumer redress, the proposed order includes far-reaching provisions designed to address the injury the companies inflicted on consumers who downloaded their products and to protect people in the future. Among other things, the proposed settlement will ban the sale or disclosure of Avast users’ browsing information to third parties for advertising purposes. That includes any insights, models, or algorithms derived from that data. The order also prohibits the use of consumers’ browsing information for third-party advertising without consumers’ affirmative express consent. In addition, the respondents must delete certain browsing information, including any models, algorithms, or software developed using that data, and instruct third parties to delete the data, too. To make sure consumers are aware of what Avast was up to behind the scenes, the company must post a notice on its websites and notify consumers via email. Avast also must implement a comprehensive privacy program subject to outside assessments. Once the proposed settlement is published in the Federal Register, the FTC will accept public comments for 30 days. Whether you’re a young bucko or an old salt, the FTC’s action against Avast contains guidance to help prevent your company from running aground in a law enforcement shipwreck. All companies must honor their privacy promises, but that holds especially true for businesses that pitch their products as a way for consumers to protect their privacy. There aren’t enough r’s in “Arrrrrrrgghh” to convey the FTC’s concern about a company that advertises its products as a means for people to maintain their privacy online, and then double-crosses them by selling their highly personal browsing information. The irony – and injury – in this case is alarming and the FTC will give no quarter when businesses lie to consumers about how their personal information will be protected. You can’t promise privacy to consumers and then go full speed ahead in your contracts with clients. In some cases, the FTC says contracts with third-party clients didn’t prohibit those companies from re-identifying Avast users based on data that Jumpshot provided. In other instances, Jumpshot products were designed to allow clients to track specific users or even to associate specific users and their browsing histories with other information those clients had. The scope of the consumer data Jumpshot sold is almost unfathomable. For example, in its contract with advertising giant Omnicom, Jumpshot agreed to provide its “All Clicks Feed” – all URLs clicked during a particular person’s browsing session – for 50% of its entire user base in the U.S., UK, Mexico, Australia, Canada, and Germany across all domains. Browsing data is a category of highly sensitive information that demands the utmost care. Recent FTC actions have focused on the confidential nature of certain categories of consumer data – for example, health information or geolocation. But a consumer’s browsing information is highly sensitive, too. Data about the websites a person visits isn’t just another corporate asset open to unfettered commercial exploitation.